[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.
|
From: |
Alex Vong |
|
Subject: |
[bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360. |
|
Date: |
Wed, 07 Feb 2018 14:53:12 +0800 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
Tags: security
Hello,
This patch fixes CVE-2018-6360, which is about mpv maybe get tricked
into playing unsafe url returned by youtube-dl.
>From 2a6538067bdad659672f1d19811bad8a5b8d9d56 Mon Sep 17 00:00:00 2001
From: Alex Vong <address@hidden>
Date: Wed, 7 Feb 2018 14:39:40 +0800
Subject: [PATCH] gnu: mpv: Fix CVE-2018-6360.
* gnu/packages/patches/mpv-CVE-2018-6360-1.patch,
gnu/packages/patches/mpv-CVE-2018-6360-2.patch,
gnu/packages/patches/mpv-CVE-2018-6360-3.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/video.scm (mpv)[source]: Use them.
---
gnu/local.mk | 5 +-
gnu/packages/patches/mpv-CVE-2018-6360-1.patch | 138 +++++++++++++++++++++++++
gnu/packages/patches/mpv-CVE-2018-6360-2.patch | 59 +++++++++++
gnu/packages/patches/mpv-CVE-2018-6360-3.patch | 84 +++++++++++++++
gnu/packages/video.scm | 5 +-
5 files changed, 289 insertions(+), 2 deletions(-)
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-1.patch
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-2.patch
create mode 100644 gnu/packages/patches/mpv-CVE-2018-6360-3.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index ca400dae6..0d3da924d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -9,7 +9,7 @@
# Copyright © 2016 Adonay "adfeno" Felipe Nogueira
<https://libreplanet.org/wiki/User:Adfeno> <address@hidden>
# Copyright © 2016, 2017 Ricardo Wurmus <address@hidden>
# Copyright © 2016 Ben Woodcroft <address@hidden>
-# Copyright © 2016, 2017 Alex Vong <address@hidden>
+# Copyright © 2016, 2017, 2018 Alex Vong <address@hidden>
# Copyright © 2016, 2017 Efraim Flashner <address@hidden>
# Copyright © 2016, 2017 Jan Nieuwenhuizen <address@hidden>
# Copyright © 2017 Tobias Geerinckx-Rice <address@hidden>
@@ -911,6 +911,9 @@ dist_patch_DATA =
\
%D%/packages/patches/mhash-keygen-test-segfault.patch \
%D%/packages/patches/mingw-w64-5.0rc2-gcc-4.9.3.patch \
%D%/packages/patches/mpc123-initialize-ao.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-1.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-2.patch \
+ %D%/packages/patches/mpv-CVE-2018-6360-3.patch \
%D%/packages/patches/module-init-tools-moduledir.patch \
%D%/packages/patches/mongodb-support-unknown-linux-distributions.patch
\
%D%/packages/patches/mozjs17-aarch64-support.patch \
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
new file mode 100644
index 000000000..55fc7daaf
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-1.patch
@@ -0,0 +1,138 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43
+
+To apply the patch to mpv 0.28.0 release tarball, hunk #4 is removed. Hunk #4
+checks if 'mpd_url' is safe, but the support for 'mpd_url' is not available
+for the 0.28.0 release. So it should be safe to remove hunk #4.
+
+From e6e6b0dcc7e9b0dbf35154a179b3dc1fcfcaff43 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <address@hidden>
+Date: Fri, 26 Jan 2018 01:19:04 +0000
+Subject: [PATCH] ytdl_hook: whitelist protocols from urls retrieved from
+ youtube-dl
+
+Not very clean since there's a lot of potential unsafe urls that youtube-dl
+can give us, depending on whether it's a single url, split tracks,
+playlists, segmented dash, etc.
+---
+ player/lua/ytdl_hook.lua | 54 +++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 47 insertions(+), 7 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index dd96ecc01d..b480c21625 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -16,6 +16,18 @@ local ytdl = {
+
+ local chapter_list = {}
+
++function Set (t)
++ local set = {}
++ for _, v in pairs(t) do set[v] = true end
++ return set
++end
++
++local safe_protos = Set {
++ "http", "https", "ftp", "ftps",
++ "rtmp", "rtmps", "rtmpe", "rtmpt", "rtmpts", "rtmpte",
++ "data"
++}
++
+ local function exec(args)
+ local ret = utils.subprocess({args = args})
+ return ret.status, ret.stdout, ret
+@@ -183,6 +195,9 @@ local function edl_track_joined(fragments, protocol,
is_live, base)
+
+ for i = offset, #fragments do
+ local fragment = fragments[i]
++ if not url_is_safe(join_url(base, fragment)) then
++ return nil
++ end
+ table.insert(parts, edl_escape(join_url(base, fragment)))
+ if fragment.duration then
+ parts[#parts] =
+@@ -208,6 +223,15 @@ local function proto_is_dash(json)
+ or json["protocol"] == "http_dash_segments"
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function add_single_video(json)
+ local streamurl = ""
+ local max_bitrate = 0
+@@ -238,14 +264,18 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
++ local url = edl_track or track.url
++ if not url_is_safe(url) then
++ return
++ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+- edl_track or track.url, "auto",
++ url, "auto",
+ track.format_note or "")
+ elseif track.vcodec and track.vcodec ~= "none" then
+ -- video track
+- streamurl = edl_track or track.url
++ streamurl = url
+ end
+ end
+
+@@ -264,7 +294,13 @@ local function add_single_video(json)
+
+ msg.debug("streamurl: " .. streamurl)
+
+- mp.set_property("stream-open-filename", streamurl:gsub("^data:",
"data://", 1))
++ streamurl = streamurl:gsub("^data:", "data://", 1)
++
++ if not url_is_safe(streamurl) then
++ return
++ end
++
++ mp.set_property("stream-open-filename", streamurl)
+
+ mp.set_property("file-local-options/force-media-title", json.title)
+
+@@ -526,14 +562,18 @@ mp.add_hook(o.try_ytdl_first and "on_load" or
"on_load_fail", 10, function ()
+ site = entry["webpage_url"]
+ end
+
+- if not (site:find("https?://") == 1) then
+- site = "ytdl://" .. site
++ -- links with only youtube id as returned by
--flat-playlist
++ if not site:find("://") then
++ table.insert(playlist, "ytdl://" .. site)
++ elseif url_is_safe(site) then
++ table.insert(playlist, site)
+ end
+- table.insert(playlist, site)
+
+ end
+
+- mp.set_property("stream-open-filename", "memory://" ..
table.concat(playlist, "\n"))
++ if #playlist > 0 then
++ mp.set_property("stream-open-filename", "memory://" ..
table.concat(playlist, "\n"))
++ end
+ end
+
+ else -- probably a video
+--
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
new file mode 100644
index 000000000..b37e33a64
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-2.patch
@@ -0,0 +1,59 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/f8263e82cc74a9ac6530508bec39c7b0dc02568f
+
+From f8263e82cc74a9ac6530508bec39c7b0dc02568f Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <address@hidden>
+Date: Fri, 26 Jan 2018 11:26:27 +0000
+Subject: [PATCH] ytdl_hook: move url_is_safe earlier in code
+
+lua isn't javascript.
+---
+ player/lua/ytdl_hook.lua | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index b480c21625..458c94af38 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -84,6 +84,15 @@ local function edl_escape(url)
+ return "%" .. string.len(url) .. "%" .. url
+ end
+
++local function url_is_safe(url)
++ local proto = type(url) == "string" and url:match("^(.+)://") or nil
++ local safe = proto and safe_protos[proto]
++ if not safe then
++ msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
++ end
++ return safe
++end
++
+ local function time_to_secs(time_string)
+ local ret
+
+@@ -223,15 +232,6 @@ local function proto_is_dash(json)
+ or json["protocol"] == "http_dash_segments"
+ end
+
+-local function url_is_safe(url)
+- local proto = type(url) == "string" and url:match("^(.+)://") or nil
+- local safe = proto and safe_protos[proto]
+- if not safe then
+- msg.error(("Ignoring potentially unsafe url: '%s'"):format(url))
+- end
+- return safe
+-end
+-
+ local function add_single_video(json)
+ local streamurl = ""
+ local max_bitrate = 0
+--
+2.16.1
+
diff --git a/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
new file mode 100644
index 000000000..dc3e272d3
--- /dev/null
+++ b/gnu/packages/patches/mpv-CVE-2018-6360-3.patch
@@ -0,0 +1,84 @@
+Fix CVE-2018-6360:
+
+https://github.com/mpv-player/mpv/issues/5456
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360
+https://security-tracker.debian.org/tracker/CVE-2018-6360
+
+Patch copied from upstream source repository:
+
+https://github.com/mpv-player/mpv/commit/ce42a965330dfeb7d2f6c69ea42d35454105c828
+
+From ce42a965330dfeb7d2f6c69ea42d35454105c828 Mon Sep 17 00:00:00 2001
+From: Ricardo Constantino <address@hidden>
+Date: Fri, 26 Jan 2018 18:54:17 +0000
+Subject: [PATCH] ytdl_hook: fix safe url checking with EDL urls
+
+---
+ player/lua/ytdl_hook.lua | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/player/lua/ytdl_hook.lua b/player/lua/ytdl_hook.lua
+index 458c94af38..6c8e78657d 100644
+--- a/player/lua/ytdl_hook.lua
++++ b/player/lua/ytdl_hook.lua
+@@ -264,18 +264,17 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(track.fragments,
+ track.protocol, json.is_live,
+ track.fragment_base_url)
+- local url = edl_track or track.url
+- if not url_is_safe(url) then
++ if not edl_track and not url_is_safe(track.url) then
+ return
+ end
+ if track.acodec and track.acodec ~= "none" then
+ -- audio track
+ mp.commandv("audio-add",
+- url, "auto",
++ edl_track or track.url, "auto",
+ track.format_note or "")
+ elseif track.vcodec and track.vcodec ~= "none" then
+ -- video track
+- streamurl = url
++ streamurl = edl_track or track.url
+ end
+ end
+
+@@ -284,6 +283,9 @@ local function add_single_video(json)
+ edl_track = edl_track_joined(json.fragments, json.protocol,
+ json.is_live, json.fragment_base_url)
+
++ if not edl_track and not url_is_safe(json.url) then
++ return
++ end
+ -- normal video or single track
+ streamurl = edl_track or json.url
+ set_http_headers(json.http_headers)
+@@ -294,13 +296,7 @@ local function add_single_video(json)
+
+ msg.debug("streamurl: " .. streamurl)
+
+- streamurl = streamurl:gsub("^data:", "data://", 1)
+-
+- if not url_is_safe(streamurl) then
+- return
+- end
+-
+- mp.set_property("stream-open-filename", streamurl)
++ mp.set_property("stream-open-filename", streamurl:gsub("^data:",
"data://", 1))
+
+ mp.set_property("file-local-options/force-media-title", json.title)
+
+@@ -499,6 +495,10 @@ mp.add_hook(o.try_ytdl_first and "on_load" or
"on_load_fail", 10, function ()
+
+ msg.debug("EDL: " .. playlist)
+
++ if not playlist then
++ return
++ end
++
+ -- can't change the http headers for each entry, so use the
1st
+ if json.entries[1] then
+ set_http_headers(json.entries[1].http_headers)
+--
+2.16.1
+
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 8cbe590bf..5865713b8 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -6,7 +6,7 @@
;;; Copyright © 2015, 2016, 2017 Efraim Flashner <address@hidden>
;;; Copyright © 2015 Andy Patterson <address@hidden>
;;; Copyright © 2015 Ricardo Wurmus <address@hidden>
-;;; Copyright © 2015, 2016, 2017 Alex Vong <address@hidden>
+;;; Copyright © 2015, 2016, 2017, 2018 Alex Vong <address@hidden>
;;; Copyright © 2016, 2017 Alex Griffin <address@hidden>
;;; Copyright © 2016 Kei Kebreau <address@hidden>
;;; Copyright © 2016 Dmitry Nikolaev <address@hidden>
@@ -1018,6 +1018,9 @@ SVCD, DVD, 3ivx, DivX 3/4/5, WMV and H.264 movies.")
(sha256
(base32
"1d2p6k3y9lqx8bpdal4grrj8ljy7pvd8qgdq8004fmr38afmbb7f"))
+ (patches (search-patches "mpv-CVE-2018-6360-1.patch"
+ "mpv-CVE-2018-6360-2.patch"
+ "mpv-CVE-2018-6360-3.patch"))
(file-name (string-append name "-" version ".tar.gz"))))
(build-system waf-build-system)
(native-inputs
--
2.16.1
Cheers,
Alex
- [bug#30378] [PATCH] gnu: mpv: Fix CVE-2018-6360.,
Alex Vong <=